Last reviewed
Employment context

Austria 05.06.2018 No, the ADPA does not provide for special provisions on the processing of personal data in the context of employment. However, the Austrian Data Protection Authority has always taken a very strict and reluctant approach to the processing of employees' data, which is expected to be upheld.
Belgium 08.10.2018 The BPA does not contain employment-related provisions.
Czech Republic 13.09.2018 n/a
Denmark 06.09.2018 § 12 permits data processing in the employment context when: 
(1)  it is necessary for compliance with employment obligations or rights laid down by law or collective agreements; 
(2)  it is necessary to pursue a legitimate interest arising from law or collective agreements, unless the interest is overridden by the rights and freedoms of the data subject;
(3) the data subject has given his or her consent.
Finland 13.11.2018 Section 30 of the Data Protection Act states that privacy in the employment context is covered by the Act on the Protection of Privacy in Working Life. The Ministry of Economic Affairs and Employment has suggested a few changes to the current act for it to comply with the GDPR. The government proposals for the changes are currently under review in the Parliamentary committees.
France 22.05.2018 The new French Data Protection Act does not change any provision of the French Labour Code. We are expecting another bill on this issue.
Germany 23.05.2018

§ 26 FDPA constitutes a basis for the processing of employment data. The new rule keeps more or less the framework of the current rules on processing of HR data. The processing of employee data is generally allowed if necessary for establishing, carrying out or terminating the employment relationship (NB: subject to interpretation based on existing case law and guidance of DPAs). The GDPAA maintains the current restrictions for investigations of criminal conduct and now expressly mentions operating or service agreements (collective agreement) and collective bargaining agreements as a possible legal basis for the processing of HR data.

§ 26 FDPA also contains certain justifications for the use of special categories of employee data ("sensitive data") and a definition of the term "employee". The GDPAA further provides clarification on consent, such as the circumstances when such consent is "freely given" in an employer-employee relationship. Legal and economic advantages are considered in this respect; the reasoning of the GDPAA, for example, refers to the use of IT for private purposes or the receipt of health benefits. Under certain conditions, § 24(2) FDPA permits a change of purposes for sensitive data in the HR context.

Hungary 17.05.2018 n/a
Ireland 12.09.2017 Under section 46 of the Act, subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.
Italy 17.05.2018 No material derogations. It should be highlighted that Section 21 of the Draft states that the Italian DPA will identify, within 90 days following the entry into force of the Draft, which of the general regulatory measures (issued so far by the Italian DPA itself) will remain fully valid and in force (e.g. guidelines on biometric data, processing of data at work).
Netherlands 17.09.2018 No material derogations.

Based on article 9 (2) sub b GDPR, article 30(1) UAVG provides the exceptions to the prohibition to process health data in an employment context. Processing health data is not prohibited if the processing is done by employers or institutions working for them, and in so far as the processing is necessary for:
a. proper implementation of statutory regulations, pension schemes or collective agreements that provide for entitlements that depend on the health status of the data subject; or
b. the reintegration or supervision of employees or benefit recipients in connection with illness or incapacity for work.

Based on article 9 (2) sub g GDPR, article 25 UAVG provides the exceptions to the prohibition to process ethnic and racial data: such data can be processed for positive discrimination/equal treatment purposes.

Based on article 9 (2) sub g GDPR, article 29 UAVG provides the exceptions to the prohibition to process biometric data: such data can be processed for identification of an individual if the processing is necessary for authentication or security purposes.

Article 33(3) UAVG states that personal data of a criminal nature relating to personnel employed by the controller may only be processed if this is done in accordance with the procedures to follow based on the Works Councils Act.
Poland 07.09.2018

Employers are obliged to request an exhaustive list of data categories from job candidates and employees as set out in the Labour Code; if they want to collect more data directly from job candidates and employees, then consent is required, unless there is a special provision of law that entitles them to process this data (e.g. some criminal convictions of managing board members).

However, the processing of a candidate/employee's special categories of personal data by the (potential) employer on the basis of his/her explicit consent is not permitted unless such data is provided on the candidate/employee's initiative. It is also prohibited in all circumstances for the (potential) employer to process a candidate/employee's personal data relating to criminal convictions and offences if such processing is based on his/her consent. The only basis for such processing is a legal obligation.

Employers may (i) use CCTV for the purpose of ensuring employees' security, protection of the employer's property, production control, and information security; and (ii) monitor employees' emails for the purpose of ensuring a work organization which allows for making full use of employees' working hours and appropriate usage of the working tools made available to them.

Slovakia 13.09.2018 An employer, as a controller, is allowed to process or publish personal data to the extent of title, name, surname, relevant position, employee's work ID, place of work, telephone number, fax number, email and employer's identification data, if it is necessary in relation to the fulfilment of work tasks and duties of the data subject. Such processing or publishing must not undermine the data subject's seriousness, dignity and security. (Article 78 (3) of New DPA).
Spain 07.09.2018 Article 24 of the Spanish Data Protection Bill addresses whistleblowing and introduces for the first time the possibility for anonymous reporting. The provision regulates the whistleblowing systems in the private sector, as well as the creation and maintenance of procedures that provide safe channels for staff or other informants to report wrongdoings in companies. In light of the above, given that the information processed is sensitive and that leaks or unauthorised disclosure may have adverse consequences both for the whistleblowers and the individuals accused, companies are required by the Bill to take special care over the technical and organisational measures needed to mitigate the risks and ensure data security. Moreover, the Bill provides that whistleblowing data shall only be stored for a maximum of 3 months (unless the personal data was necessary for the investigation, in which case it could be stored longer).

Article 22 of the Bill allows CCTV recordings for the supervision of employees as part of the employment relationship. This provision regulates the processing of personal data with regard to video surveillance, and also provides that employers can process their employees' data obtained from video surveillance to monitor the employees, as long as this monitoring complies with Spanish Labour laws and employees are informed about video surveillance. The Bill provides that video surveillance footage shall only be stored for a maximum of 1 month (unless longer retention is justified as part of an ongoing investigation).
Sweden 06.09.2018 Paragraph 3:2 provides that it is permitted to process sensitive personal data pursuant to Article 9(2)(b) of the GDPR in the field of employment. In such cases, data may only be disclosed to a third party where employment law imposes such obligation on the controller or the data subject has explicitly consented to the disclosure.
UK 23.05.2018
Employment, social security and social protection

For processing necessary to perform or exercise obligations or rights of the controller or of the data subject under employment, social security or social protection law, the Data Protection Act 2018 introduces a requirement on the controller to put into place an "appropriate policy document".
(Paragraph 1 of Schedule 1 to the Data Protection Act 2018)

An appropriate policy document must:

  • explain the controller's procedures for complying with the data protection principles laid out in Article 5 of the GDPR;
  • explain the controller's policies as regards the retention and erasure of personal data, including providing an indication of how long the personal data are likely to be retained; and
  • be retained for as long as the processing takes place (and then for six months when the relevant processing ceases), be reviewed from time to time (if appropriate), and be made available to the ICO without charge (if requested).

The controller must additionally ensure that its records of processing activities (under Article 30 of the GDPR):

  • include details on the controller's processing of personal data in the context of employment, social security and social protection;
  • describe how the processing satisfies Article 6 of the GDPR (lawfulness of processing); and
  • include details on whether the personal data are retained and erased in accordance with the controller's policies.
(Paragraphs 38 – 41 of Schedule 1 to the Data Protection Act 2018)

Employment references

The Data Protection Act 2018 restricts certain data subject rights, including subject access, with regard to employment references. For more information see 'Any other areas under discussion'.
(Paragraph 24 of Schedule 2 to the Data Protection Act 2018)

Enforced subject access

The Data Protection Act 2018 maintains the offence for requiring an individual to exercise their subject access rights to obtain a relevant record (largely relating to health, convictions and cautions, and statutory functions) as part of the recruitment or continued employment of that individual. For more information see 'Any other areas under discussion'.
(Section 177 of the Data Protection Act 2018)

Equal opportunity and treatment

The Data Protection Act 2018 allows employers, with certain restrictions, to consider "specified" categories of personal data (personal data revealing racial or ethnic origin, and religious or philosophical beliefs or personal data concerning health or an individual's sexual orientation) as part of equality of opportunity or treatment. Employers may also process data regarding racial and ethnic origin to promote and maintain diversity at senior levels of the organisation. For more information see 'Special rules for special categories of data'.
(Paragraphs 8 and 9 of Schedule 1 to the Data Protection Act 2018)